From 8208a3b4a642b19ebf112d29f4b3f4feae1a6011 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 19 Aug 2015 14:43:14 +0200
Subject: [PATCH] improve the usability of `ipa user-del --preserve` command
`ipa user-del` with `--preserve` option will now process multiple entries and
handle `--continue` option in a manner analogous to `ipa user-del` in normal
mode.
In addition, it is now no longer possible to permanently delete a user by
accidentally running `ipa user-del --preserve` twice.
https://fedorahosted.org/freeipa/ticket/5234
https://fedorahosted.org/freeipa/ticket/5236
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
ipalib/plugins/user.py | 123 ++++++++++++++++++++++++++-----------------------
1 file changed, 66 insertions(+), 57 deletions(-)
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index d7cf9666d43b69b0cab91cfa0c98a8373f095ab5..cb47cbb4869cb978f87603817033580647cc2d17 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -593,6 +593,60 @@ class user_del(baseuser_del):
),
)
+ def _preserve_user(self, pkey, delete_container, **options):
+ assert isinstance(delete_container, DN)
+
+ dn = self.obj.get_either_dn(pkey, **options)
+ delete_dn = DN(dn[0], delete_container)
+ ldap = self.obj.backend
+ self.log.debug("preserve move %s -> %s" % (dn, delete_dn))
+
+ if dn.endswith(delete_container):
+ raise errors.ExecutionError(
+ _('%s: user is already preserved' % pkey)
+ )
+ # Check that this value is a Active user
+ try:
+ original_entry_attrs = self._exc_wrapper(
+ pkey, options, ldap.get_entry)(dn, ['dn'])
+ except errors.NotFound:
+ self.obj.handle_not_found(pkey)
+
+ # start to move the entry to Delete container
+ self._exc_wrapper(pkey, options, ldap.move_entry)(dn, delete_dn,
+ del_old=True)
+
+ # Then clear the credential attributes
+ attrs_to_clear = ['krbPrincipalKey', 'krbLastPwdChange',
+ 'krbPasswordExpiration', 'userPassword']
+
+ entry_attrs = self._exc_wrapper(pkey, options, ldap.get_entry)(
+ delete_dn, attrs_to_clear)
+
+ clearedCredential = False
+ for attr in attrs_to_clear:
+ if attr.lower() in entry_attrs:
+ del entry_attrs[attr]
+ clearedCredential = True
+ if clearedCredential:
+ self._exc_wrapper(pkey, options, ldap.update_entry)(entry_attrs)
+
+ # Then restore some original entry attributes
+ attrs_to_restore = ['secretary', 'managedby', 'manager', 'ipauniqueid',
+ 'uidnumber', 'gidnumber', 'passwordHistory']
+
+ entry_attrs = self._exc_wrapper(
+ pkey, options, ldap.get_entry)(delete_dn, attrs_to_restore)
+
+ restoreAttr = False
+ for attr in attrs_to_restore:
+ if ((attr.lower() in original_entry_attrs) and
+ not (attr.lower() in entry_attrs)):
+ restoreAttr = True
+ entry_attrs[attr.lower()] = original_entry_attrs[attr.lower()]
+ if restoreAttr:
+ self._exc_wrapper(pkey, options, ldap.update_entry)(entry_attrs)
+
def forward(self, *keys, **options):
if self.api.env.context == 'cli':
if options['no_preserve'] and options['preserve']:
@@ -633,68 +687,23 @@ class user_del(baseuser_del):
def execute(self, *keys, **options):
- dn = self.obj.get_either_dn(*keys, **options)
-
# We are going to permanent delete or the user is already in the delete container.
delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn)
- user_from_delete_container = dn.endswith(delete_container)
-
- if not options.get('preserve', True) or user_from_delete_container:
- # Remove any ID overrides tied with this user
- remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
-
- # Issue a true DEL on that entry
- return super(user_del, self).execute(*keys, **options)
# The user to delete is active and there is no 'no_preserve' option
if options.get('preserve', False):
-
- ldap = self.obj.backend
-
- # need to handle multiple keys (e.g. keys[-1]=(u'tb8', u'tb9')..
- active_dn = self.obj.get_either_dn(*keys, **options)
- superior_dn = DN(self.obj.delete_container_dn, api.env.basedn)
- delete_dn = DN(active_dn[0], self.obj.delete_container_dn, api.env.basedn)
- self.log.debug("preserve move %s -> %s" % (active_dn, delete_dn))
-
- # Check that this value is a Active user
- try:
- original_entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(active_dn, ['dn'])
- except errors.NotFound:
- raise
-
- # start to move the entry to Delete container
- self._exc_wrapper(keys, options, ldap.move_entry)(active_dn, delete_dn, del_old=True)
-
- # Then clear the credential attributes
- attrs_to_clear = ['krbPrincipalKey', 'krbLastPwdChange', 'krbPasswordExpiration', 'userPassword']
- try:
- entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(delete_dn, attrs_to_clear)
- except errors.NotFound:
- raise
- clearedCredential = False
- for attr in attrs_to_clear:
- if attr.lower() in entry_attrs:
- del entry_attrs[attr]
- clearedCredential = True
- if clearedCredential:
- self._exc_wrapper(keys, options, ldap.update_entry)(entry_attrs)
-
- # Then restore some original entry attributes
- attrs_to_restore = [ 'secretary', 'managedby', 'manager', 'ipauniqueid', 'uidnumber', 'gidnumber', 'passwordHistory']
- try:
- entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(delete_dn, attrs_to_restore)
- except errors.NotFound:
- raise
- restoreAttr = False
- for attr in attrs_to_restore:
- if (attr.lower() in original_entry_attrs) and not (attr.lower() in entry_attrs):
- restoreAttr = True
- entry_attrs[attr.lower()] = original_entry_attrs[attr.lower()]
- if restoreAttr:
- self._exc_wrapper(keys, options, ldap.update_entry)(entry_attrs)
-
- val = dict(result=dict(failed=[]), value=[keys[-1][0]])
+ failed = []
+ preserved = []
+ for pkey in keys[-1]:
+ try:
+ self._preserve_user(pkey, delete_container, **options)
+ preserved.append(pkey_to_value(pkey, options))
+ except:
+ if not options.get('continue', False):
+ raise
+ failed.append(pkey_to_value(pkey, options))
+
+ val = dict(result=dict(failed=failed), value=preserved)
return val
else:
return super(user_del, self).execute(*keys, **options)
--
2.4.3